1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * NXP Wireless LAN device driver: 802.11n RX Re-ordering
4  *
5  * Copyright 2011-2020 NXP
6  */
7 
8 #include "decl.h"
9 #include "ioctl.h"
10 #include "util.h"
11 #include "fw.h"
12 #include "main.h"
13 #include "wmm.h"
14 #include "11n.h"
15 #include "11n_rxreorder.h"
16 
17 /* This function will dispatch amsdu packet and forward it to kernel/upper
18  * layer.
19  */
20 static int mwifiex_11n_dispatch_amsdu_pkt(struct mwifiex_private *priv,
21 					  struct sk_buff *skb)
22 {
23 	struct rxpd *local_rx_pd = (struct rxpd *)(skb->data);
24 	int ret;
25 
26 	if (le16_to_cpu(local_rx_pd->rx_pkt_type) == PKT_TYPE_AMSDU) {
27 		struct sk_buff_head list;
28 		struct sk_buff *rx_skb;
29 
30 		__skb_queue_head_init(&list);
31 
32 		skb_pull(skb, le16_to_cpu(local_rx_pd->rx_pkt_offset));
33 		skb_trim(skb, le16_to_cpu(local_rx_pd->rx_pkt_length));
34 
35 		ieee80211_amsdu_to_8023s(skb, &list, priv->curr_addr,
36 					 priv->wdev.iftype, 0, NULL, NULL, false);
37 
38 		while (!skb_queue_empty(&list)) {
39 			struct rx_packet_hdr *rx_hdr;
40 
41 			rx_skb = __skb_dequeue(&list);
42 			rx_hdr = (struct rx_packet_hdr *)rx_skb->data;
43 			if (ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
44 			    ntohs(rx_hdr->eth803_hdr.h_proto) == ETH_P_TDLS) {
45 				mwifiex_process_tdls_action_frame(priv,
46 								  (u8 *)rx_hdr,
47 								  skb->len);
48 			}
49 
50 			if (priv->bss_role == MWIFIEX_BSS_ROLE_UAP)
51 				ret = mwifiex_uap_recv_packet(priv, rx_skb);
52 			else
53 				ret = mwifiex_recv_packet(priv, rx_skb);
54 			if (ret == -1)
55 				mwifiex_dbg(priv->adapter, ERROR,
56 					    "Rx of A-MSDU failed");
57 		}
58 		return 0;
59 	}
60 
61 	return -1;
62 }
63 
64 /* This function will process the rx packet and forward it to kernel/upper
65  * layer.
66  */
67 static int mwifiex_11n_dispatch_pkt(struct mwifiex_private *priv,
68 				    struct sk_buff *payload)
69 {
70 
71 	int ret;
72 
73 	if (!payload) {
74 		mwifiex_dbg(priv->adapter, INFO, "info: fw drop data\n");
75 		return 0;
76 	}
77 
78 	ret = mwifiex_11n_dispatch_amsdu_pkt(priv, payload);
79 	if (!ret)
80 		return 0;
81 
82 	if (priv->bss_role == MWIFIEX_BSS_ROLE_UAP)
83 		return mwifiex_handle_uap_rx_forward(priv, payload);
84 
85 	return mwifiex_process_rx_packet(priv, payload);
86 }
87 
88 /*
89  * This function dispatches all packets in the Rx reorder table until the
90  * start window.
91  *
92  * There could be holes in the buffer, which are skipped by the function.
93  * Since the buffer is linear, the function uses rotation to simulate
94  * circular buffer.
95  */
96 static void
97 mwifiex_11n_dispatch_pkt_until_start_win(struct mwifiex_private *priv,
98 					 struct mwifiex_rx_reorder_tbl *tbl,
99 					 int start_win)
100 {
101 	struct sk_buff_head list;
102 	struct sk_buff *skb;
103 	int pkt_to_send, i;
104 
105 	__skb_queue_head_init(&list);
106 	spin_lock_bh(&priv->rx_reorder_tbl_lock);
107 
108 	pkt_to_send = (start_win > tbl->start_win) ?
109 		      min((start_win - tbl->start_win), tbl->win_size) :
110 		      tbl->win_size;
111 
112 	for (i = 0; i < pkt_to_send; ++i) {
113 		if (tbl->rx_reorder_ptr[i]) {
114 			skb = tbl->rx_reorder_ptr[i];
115 			__skb_queue_tail(&list, skb);
116 			tbl->rx_reorder_ptr[i] = NULL;
117 		}
118 	}
119 
120 	/*
121 	 * We don't have a circular buffer, hence use rotation to simulate
122 	 * circular buffer
123 	 */
124 	for (i = 0; i < tbl->win_size - pkt_to_send; ++i) {
125 		tbl->rx_reorder_ptr[i] = tbl->rx_reorder_ptr[pkt_to_send + i];
126 		tbl->rx_reorder_ptr[pkt_to_send + i] = NULL;
127 	}
128 
129 	tbl->start_win = start_win;
130 	spin_unlock_bh(&priv->rx_reorder_tbl_lock);
131 
132 	while ((skb = __skb_dequeue(&list)))
133 		mwifiex_11n_dispatch_pkt(priv, skb);
134 }
135 
136 /*
137  * This function dispatches all packets in the Rx reorder table until
138  * a hole is found.
139  *
140  * The start window is adjusted automatically when a hole is located.
141  * Since the buffer is linear, the function uses rotation to simulate
142  * circular buffer.
143  */
144 static void
145 mwifiex_11n_scan_and_dispatch(struct mwifiex_private *priv,
146 			      struct mwifiex_rx_reorder_tbl *tbl)
147 {
148 	struct sk_buff_head list;
149 	struct sk_buff *skb;
150 	int i, j, xchg;
151 
152 	__skb_queue_head_init(&list);
153 	spin_lock_bh(&priv->rx_reorder_tbl_lock);
154 
155 	for (i = 0; i < tbl->win_size; ++i) {
156 		if (!tbl->rx_reorder_ptr[i])
157 			break;
158 		skb = tbl->rx_reorder_ptr[i];
159 		__skb_queue_tail(&list, skb);
160 		tbl->rx_reorder_ptr[i] = NULL;
161 	}
162 
163 	/*
164 	 * We don't have a circular buffer, hence use rotation to simulate
165 	 * circular buffer
166 	 */
167 	if (i > 0) {
168 		xchg = tbl->win_size - i;
169 		for (j = 0; j < xchg; ++j) {
170 			tbl->rx_reorder_ptr[j] = tbl->rx_reorder_ptr[i + j];
171 			tbl->rx_reorder_ptr[i + j] = NULL;
172 		}
173 	}
174 	tbl->start_win = (tbl->start_win + i) & (MAX_TID_VALUE - 1);
175 
176 	spin_unlock_bh(&priv->rx_reorder_tbl_lock);
177 
178 	while ((skb = __skb_dequeue(&list)))
179 		mwifiex_11n_dispatch_pkt(priv, skb);
180 }
181 
182 /*
183  * This function deletes the Rx reorder table and frees the memory.
184  *
185  * The function stops the associated timer and dispatches all the
186  * pending packets in the Rx reorder table before deletion.
187  */
188 static void
189 mwifiex_del_rx_reorder_entry(struct mwifiex_private *priv,
190 			     struct mwifiex_rx_reorder_tbl *tbl)
191 {
192 	int start_win;
193 
194 	if (!tbl)
195 		return;
196 
197 	spin_lock_bh(&priv->adapter->rx_proc_lock);
198 	priv->adapter->rx_locked = true;
199 	if (priv->adapter->rx_processing) {
200 		spin_unlock_bh(&priv->adapter->rx_proc_lock);
201 		flush_workqueue(priv->adapter->rx_workqueue);
202 	} else {
203 		spin_unlock_bh(&priv->adapter->rx_proc_lock);
204 	}
205 
206 	start_win = (tbl->start_win + tbl->win_size) & (MAX_TID_VALUE - 1);
207 	mwifiex_11n_dispatch_pkt_until_start_win(priv, tbl, start_win);
208 
209 	del_timer_sync(&tbl->timer_context.timer);
210 	tbl->timer_context.timer_is_set = false;
211 
212 	spin_lock_bh(&priv->rx_reorder_tbl_lock);
213 	list_del(&tbl->list);
214 	spin_unlock_bh(&priv->rx_reorder_tbl_lock);
215 
216 	kfree(tbl->rx_reorder_ptr);
217 	kfree(tbl);
218 
219 	spin_lock_bh(&priv->adapter->rx_proc_lock);
220 	priv->adapter->rx_locked = false;
221 	spin_unlock_bh(&priv->adapter->rx_proc_lock);
222 
223 }
224 
225 /*
226  * This function returns the pointer to an entry in Rx reordering
227  * table which matches the given TA/TID pair.
228  */
229 struct mwifiex_rx_reorder_tbl *
230 mwifiex_11n_get_rx_reorder_tbl(struct mwifiex_private *priv, int tid, u8 *ta)
231 {
232 	struct mwifiex_rx_reorder_tbl *tbl;
233 
234 	spin_lock_bh(&priv->rx_reorder_tbl_lock);
235 	list_for_each_entry(tbl, &priv->rx_reorder_tbl_ptr, list) {
236 		if (!memcmp(tbl->ta, ta, ETH_ALEN) && tbl->tid == tid) {
237 			spin_unlock_bh(&priv->rx_reorder_tbl_lock);
238 			return tbl;
239 		}
240 	}
241 	spin_unlock_bh(&priv->rx_reorder_tbl_lock);
242 
243 	return NULL;
244 }
245 
246 /* This function retrieves the pointer to an entry in Rx reordering
247  * table which matches the given TA and deletes it.
248  */
249 void mwifiex_11n_del_rx_reorder_tbl_by_ta(struct mwifiex_private *priv, u8 *ta)
250 {
251 	struct mwifiex_rx_reorder_tbl *tbl, *tmp;
252 
253 	if (!ta)
254 		return;
255 
256 	spin_lock_bh(&priv->rx_reorder_tbl_lock);
257 	list_for_each_entry_safe(tbl, tmp, &priv->rx_reorder_tbl_ptr, list) {
258 		if (!memcmp(tbl->ta, ta, ETH_ALEN)) {
259 			spin_unlock_bh(&priv->rx_reorder_tbl_lock);
260 			mwifiex_del_rx_reorder_entry(priv, tbl);
261 			spin_lock_bh(&priv->rx_reorder_tbl_lock);
262 		}
263 	}
264 	spin_unlock_bh(&priv->rx_reorder_tbl_lock);
265 
266 	return;
267 }
268 
269 /*
270  * This function finds the last sequence number used in the packets
271  * buffered in Rx reordering table.
272  */
273 static int
274 mwifiex_11n_find_last_seq_num(struct reorder_tmr_cnxt *ctx)
275 {
276 	struct mwifiex_rx_reorder_tbl *rx_reorder_tbl_ptr = ctx->ptr;
277 	struct mwifiex_private *priv = ctx->priv;
278 	int i;
279 
280 	spin_lock_bh(&priv->rx_reorder_tbl_lock);
281 	for (i = rx_reorder_tbl_ptr->win_size - 1; i >= 0; --i) {
282 		if (rx_reorder_tbl_ptr->rx_reorder_ptr[i]) {
283 			spin_unlock_bh(&priv->rx_reorder_tbl_lock);
284 			return i;
285 		}
286 	}
287 	spin_unlock_bh(&priv->rx_reorder_tbl_lock);
288 
289 	return -1;
290 }
291 
292 /*
293  * This function flushes all the packets in Rx reordering table.
294  *
295  * The function checks if any packets are currently buffered in the
296  * table or not. In case there are packets available, it dispatches
297  * them and then dumps the Rx reordering table.
298  */
299 static void
300 mwifiex_flush_data(struct timer_list *t)
301 {
302 	struct reorder_tmr_cnxt *ctx =
303 		from_timer(ctx, t, timer);
304 	int start_win, seq_num;
305 
306 	ctx->timer_is_set = false;
307 	seq_num = mwifiex_11n_find_last_seq_num(ctx);
308 
309 	if (seq_num < 0)
310 		return;
311 
312 	mwifiex_dbg(ctx->priv->adapter, INFO, "info: flush data %d\n", seq_num);
313 	start_win = (ctx->ptr->start_win + seq_num + 1) & (MAX_TID_VALUE - 1);
314 	mwifiex_11n_dispatch_pkt_until_start_win(ctx->priv, ctx->ptr,
315 						 start_win);
316 }
317 
318 /*
319  * This function creates an entry in Rx reordering table for the
320  * given TA/TID.
321  *
322  * The function also initializes the entry with sequence number, window
323  * size as well as initializes the timer.
324  *
325  * If the received TA/TID pair is already present, all the packets are
326  * dispatched and the window size is moved until the SSN.
327  */
328 static void
329 mwifiex_11n_create_rx_reorder_tbl(struct mwifiex_private *priv, u8 *ta,
330 				  int tid, int win_size, int seq_num)
331 {
332 	int i;
333 	struct mwifiex_rx_reorder_tbl *tbl, *new_node;
334 	u16 last_seq = 0;
335 	struct mwifiex_sta_node *node;
336 
337 	/*
338 	 * If we get a TID, ta pair which is already present dispatch all
339 	 * the packets and move the window size until the ssn
340 	 */
341 	tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid, ta);
342 	if (tbl) {
343 		mwifiex_11n_dispatch_pkt_until_start_win(priv, tbl, seq_num);
344 		return;
345 	}
346 	/* if !tbl then create one */
347 	new_node = kzalloc(sizeof(struct mwifiex_rx_reorder_tbl), GFP_KERNEL);
348 	if (!new_node)
349 		return;
350 
351 	INIT_LIST_HEAD(&new_node->list);
352 	new_node->tid = tid;
353 	memcpy(new_node->ta, ta, ETH_ALEN);
354 	new_node->start_win = seq_num;
355 	new_node->init_win = seq_num;
356 	new_node->flags = 0;
357 
358 	spin_lock_bh(&priv->sta_list_spinlock);
359 	if (mwifiex_queuing_ra_based(priv)) {
360 		if (priv->bss_role == MWIFIEX_BSS_ROLE_UAP) {
361 			node = mwifiex_get_sta_entry(priv, ta);
362 			if (node)
363 				last_seq = node->rx_seq[tid];
364 		}
365 	} else {
366 		node = mwifiex_get_sta_entry(priv, ta);
367 		if (node)
368 			last_seq = node->rx_seq[tid];
369 		else
370 			last_seq = priv->rx_seq[tid];
371 	}
372 	spin_unlock_bh(&priv->sta_list_spinlock);
373 
374 	mwifiex_dbg(priv->adapter, INFO,
375 		    "info: last_seq=%d start_win=%d\n",
376 		    last_seq, new_node->start_win);
377 
378 	if (last_seq != MWIFIEX_DEF_11N_RX_SEQ_NUM &&
379 	    last_seq >= new_node->start_win) {
380 		new_node->start_win = last_seq + 1;
381 		new_node->flags |= RXREOR_INIT_WINDOW_SHIFT;
382 	}
383 
384 	new_node->win_size = win_size;
385 
386 	new_node->rx_reorder_ptr = kcalloc(win_size, sizeof(void *),
387 					   GFP_KERNEL);
388 	if (!new_node->rx_reorder_ptr) {
389 		kfree(new_node);
390 		mwifiex_dbg(priv->adapter, ERROR,
391 			    "%s: failed to alloc reorder_ptr\n", __func__);
392 		return;
393 	}
394 
395 	new_node->timer_context.ptr = new_node;
396 	new_node->timer_context.priv = priv;
397 	new_node->timer_context.timer_is_set = false;
398 
399 	timer_setup(&new_node->timer_context.timer, mwifiex_flush_data, 0);
400 
401 	for (i = 0; i < win_size; ++i)
402 		new_node->rx_reorder_ptr[i] = NULL;
403 
404 	spin_lock_bh(&priv->rx_reorder_tbl_lock);
405 	list_add_tail(&new_node->list, &priv->rx_reorder_tbl_ptr);
406 	spin_unlock_bh(&priv->rx_reorder_tbl_lock);
407 }
408 
409 static void
410 mwifiex_11n_rxreorder_timer_restart(struct mwifiex_rx_reorder_tbl *tbl)
411 {
412 	u32 min_flush_time;
413 
414 	if (tbl->win_size >= MWIFIEX_BA_WIN_SIZE_32)
415 		min_flush_time = MIN_FLUSH_TIMER_15_MS;
416 	else
417 		min_flush_time = MIN_FLUSH_TIMER_MS;
418 
419 	mod_timer(&tbl->timer_context.timer,
420 		  jiffies + msecs_to_jiffies(min_flush_time * tbl->win_size));
421 
422 	tbl->timer_context.timer_is_set = true;
423 }
424 
425 /*
426  * This function prepares command for adding a BA request.
427  *
428  * Preparation includes -
429  *      - Setting command ID and proper size
430  *      - Setting add BA request buffer
431  *      - Ensuring correct endian-ness
432  */
433 int mwifiex_cmd_11n_addba_req(struct host_cmd_ds_command *cmd, void *data_buf)
434 {
435 	struct host_cmd_ds_11n_addba_req *add_ba_req = &cmd->params.add_ba_req;
436 
437 	cmd->command = cpu_to_le16(HostCmd_CMD_11N_ADDBA_REQ);
438 	cmd->size = cpu_to_le16(sizeof(*add_ba_req) + S_DS_GEN);
439 	memcpy(add_ba_req, data_buf, sizeof(*add_ba_req));
440 
441 	return 0;
442 }
443 
444 /*
445  * This function prepares command for adding a BA response.
446  *
447  * Preparation includes -
448  *      - Setting command ID and proper size
449  *      - Setting add BA response buffer
450  *      - Ensuring correct endian-ness
451  */
452 int mwifiex_cmd_11n_addba_rsp_gen(struct mwifiex_private *priv,
453 				  struct host_cmd_ds_command *cmd,
454 				  struct host_cmd_ds_11n_addba_req
455 				  *cmd_addba_req)
456 {
457 	struct host_cmd_ds_11n_addba_rsp *add_ba_rsp = &cmd->params.add_ba_rsp;
458 	struct mwifiex_sta_node *sta_ptr;
459 	u32 rx_win_size = priv->add_ba_param.rx_win_size;
460 	u8 tid;
461 	int win_size;
462 	uint16_t block_ack_param_set;
463 
464 	if ((GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) &&
465 	    ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
466 	    priv->adapter->is_hw_11ac_capable &&
467 	    memcmp(priv->cfg_bssid, cmd_addba_req->peer_mac_addr, ETH_ALEN)) {
468 		spin_lock_bh(&priv->sta_list_spinlock);
469 		sta_ptr = mwifiex_get_sta_entry(priv,
470 						cmd_addba_req->peer_mac_addr);
471 		if (!sta_ptr) {
472 			spin_unlock_bh(&priv->sta_list_spinlock);
473 			mwifiex_dbg(priv->adapter, ERROR,
474 				    "BA setup with unknown TDLS peer %pM!\n",
475 				    cmd_addba_req->peer_mac_addr);
476 			return -1;
477 		}
478 		if (sta_ptr->is_11ac_enabled)
479 			rx_win_size = MWIFIEX_11AC_STA_AMPDU_DEF_RXWINSIZE;
480 		spin_unlock_bh(&priv->sta_list_spinlock);
481 	}
482 
483 	cmd->command = cpu_to_le16(HostCmd_CMD_11N_ADDBA_RSP);
484 	cmd->size = cpu_to_le16(sizeof(*add_ba_rsp) + S_DS_GEN);
485 
486 	memcpy(add_ba_rsp->peer_mac_addr, cmd_addba_req->peer_mac_addr,
487 	       ETH_ALEN);
488 	add_ba_rsp->dialog_token = cmd_addba_req->dialog_token;
489 	add_ba_rsp->block_ack_tmo = cmd_addba_req->block_ack_tmo;
490 	add_ba_rsp->ssn = cmd_addba_req->ssn;
491 
492 	block_ack_param_set = le16_to_cpu(cmd_addba_req->block_ack_param_set);
493 	tid = (block_ack_param_set & IEEE80211_ADDBA_PARAM_TID_MASK)
494 		>> BLOCKACKPARAM_TID_POS;
495 	add_ba_rsp->status_code = cpu_to_le16(ADDBA_RSP_STATUS_ACCEPT);
496 	block_ack_param_set &= ~IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK;
497 
498 	/* If we don't support AMSDU inside AMPDU, reset the bit */
499 	if (!priv->add_ba_param.rx_amsdu ||
500 	    (priv->aggr_prio_tbl[tid].amsdu == BA_STREAM_NOT_ALLOWED))
501 		block_ack_param_set &= ~BLOCKACKPARAM_AMSDU_SUPP_MASK;
502 	block_ack_param_set |= rx_win_size << BLOCKACKPARAM_WINSIZE_POS;
503 	add_ba_rsp->block_ack_param_set = cpu_to_le16(block_ack_param_set);
504 	win_size = (le16_to_cpu(add_ba_rsp->block_ack_param_set)
505 					& IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK)
506 					>> BLOCKACKPARAM_WINSIZE_POS;
507 	cmd_addba_req->block_ack_param_set = cpu_to_le16(block_ack_param_set);
508 
509 	mwifiex_11n_create_rx_reorder_tbl(priv, cmd_addba_req->peer_mac_addr,
510 					  tid, win_size,
511 					  le16_to_cpu(cmd_addba_req->ssn));
512 	return 0;
513 }
514 
515 /*
516  * This function prepares command for deleting a BA request.
517  *
518  * Preparation includes -
519  *      - Setting command ID and proper size
520  *      - Setting del BA request buffer
521  *      - Ensuring correct endian-ness
522  */
523 int mwifiex_cmd_11n_delba(struct host_cmd_ds_command *cmd, void *data_buf)
524 {
525 	struct host_cmd_ds_11n_delba *del_ba = &cmd->params.del_ba;
526 
527 	cmd->command = cpu_to_le16(HostCmd_CMD_11N_DELBA);
528 	cmd->size = cpu_to_le16(sizeof(*del_ba) + S_DS_GEN);
529 	memcpy(del_ba, data_buf, sizeof(*del_ba));
530 
531 	return 0;
532 }
533 
534 /*
535  * This function identifies if Rx reordering is needed for a received packet.
536  *
537  * In case reordering is required, the function will do the reordering
538  * before sending it to kernel.
539  *
540  * The Rx reorder table is checked first with the received TID/TA pair. If
541  * not found, the received packet is dispatched immediately. But if found,
542  * the packet is reordered and all the packets in the updated Rx reordering
543  * table is dispatched until a hole is found.
544  *
545  * For sequence number less than the starting window, the packet is dropped.
546  */
547 int mwifiex_11n_rx_reorder_pkt(struct mwifiex_private *priv,
548 				u16 seq_num, u16 tid,
549 				u8 *ta, u8 pkt_type, void *payload)
550 {
551 	struct mwifiex_rx_reorder_tbl *tbl;
552 	int prev_start_win, start_win, end_win, win_size;
553 	u16 pkt_index;
554 	bool init_window_shift = false;
555 	int ret = 0;
556 
557 	tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid, ta);
558 	if (!tbl) {
559 		if (pkt_type != PKT_TYPE_BAR)
560 			mwifiex_11n_dispatch_pkt(priv, payload);
561 		return ret;
562 	}
563 
564 	if ((pkt_type == PKT_TYPE_AMSDU) && !tbl->amsdu) {
565 		mwifiex_11n_dispatch_pkt(priv, payload);
566 		return ret;
567 	}
568 
569 	start_win = tbl->start_win;
570 	prev_start_win = start_win;
571 	win_size = tbl->win_size;
572 	end_win = ((start_win + win_size) - 1) & (MAX_TID_VALUE - 1);
573 	if (tbl->flags & RXREOR_INIT_WINDOW_SHIFT) {
574 		init_window_shift = true;
575 		tbl->flags &= ~RXREOR_INIT_WINDOW_SHIFT;
576 	}
577 
578 	if (tbl->flags & RXREOR_FORCE_NO_DROP) {
579 		mwifiex_dbg(priv->adapter, INFO,
580 			    "RXREOR_FORCE_NO_DROP when HS is activated\n");
581 		tbl->flags &= ~RXREOR_FORCE_NO_DROP;
582 	} else if (init_window_shift && seq_num < start_win &&
583 		   seq_num >= tbl->init_win) {
584 		mwifiex_dbg(priv->adapter, INFO,
585 			    "Sender TID sequence number reset %d->%d for SSN %d\n",
586 			    start_win, seq_num, tbl->init_win);
587 		tbl->start_win = start_win = seq_num;
588 		end_win = ((start_win + win_size) - 1) & (MAX_TID_VALUE - 1);
589 	} else {
590 		/*
591 		 * If seq_num is less then starting win then ignore and drop
592 		 * the packet
593 		 */
594 		if ((start_win + TWOPOW11) > (MAX_TID_VALUE - 1)) {
595 			if (seq_num >= ((start_win + TWOPOW11) &
596 					(MAX_TID_VALUE - 1)) &&
597 			    seq_num < start_win) {
598 				ret = -1;
599 				goto done;
600 			}
601 		} else if ((seq_num < start_win) ||
602 			   (seq_num >= (start_win + TWOPOW11))) {
603 			ret = -1;
604 			goto done;
605 		}
606 	}
607 
608 	/*
609 	 * If this packet is a BAR we adjust seq_num as
610 	 * WinStart = seq_num
611 	 */
612 	if (pkt_type == PKT_TYPE_BAR)
613 		seq_num = ((seq_num + win_size) - 1) & (MAX_TID_VALUE - 1);
614 
615 	if (((end_win < start_win) &&
616 	     (seq_num < start_win) && (seq_num > end_win)) ||
617 	    ((end_win > start_win) && ((seq_num > end_win) ||
618 				       (seq_num < start_win)))) {
619 		end_win = seq_num;
620 		if (((end_win - win_size) + 1) >= 0)
621 			start_win = (end_win - win_size) + 1;
622 		else
623 			start_win = (MAX_TID_VALUE - (win_size - end_win)) + 1;
624 		mwifiex_11n_dispatch_pkt_until_start_win(priv, tbl, start_win);
625 	}
626 
627 	if (pkt_type != PKT_TYPE_BAR) {
628 		if (seq_num >= start_win)
629 			pkt_index = seq_num - start_win;
630 		else
631 			pkt_index = (seq_num+MAX_TID_VALUE) - start_win;
632 
633 		if (tbl->rx_reorder_ptr[pkt_index]) {
634 			ret = -1;
635 			goto done;
636 		}
637 
638 		tbl->rx_reorder_ptr[pkt_index] = payload;
639 	}
640 
641 	/*
642 	 * Dispatch all packets sequentially from start_win until a
643 	 * hole is found and adjust the start_win appropriately
644 	 */
645 	mwifiex_11n_scan_and_dispatch(priv, tbl);
646 
647 done:
648 	if (!tbl->timer_context.timer_is_set ||
649 	    prev_start_win != tbl->start_win)
650 		mwifiex_11n_rxreorder_timer_restart(tbl);
651 	return ret;
652 }
653 
654 /*
655  * This function deletes an entry for a given TID/TA pair.
656  *
657  * The TID/TA are taken from del BA event body.
658  */
659 void
660 mwifiex_del_ba_tbl(struct mwifiex_private *priv, int tid, u8 *peer_mac,
661 		   u8 type, int initiator)
662 {
663 	struct mwifiex_rx_reorder_tbl *tbl;
664 	struct mwifiex_tx_ba_stream_tbl *ptx_tbl;
665 	struct mwifiex_ra_list_tbl *ra_list;
666 	u8 cleanup_rx_reorder_tbl;
667 	int tid_down;
668 
669 	if (type == TYPE_DELBA_RECEIVE)
670 		cleanup_rx_reorder_tbl = (initiator) ? true : false;
671 	else
672 		cleanup_rx_reorder_tbl = (initiator) ? false : true;
673 
674 	mwifiex_dbg(priv->adapter, EVENT, "event: DELBA: %pM tid=%d initiator=%d\n",
675 		    peer_mac, tid, initiator);
676 
677 	if (cleanup_rx_reorder_tbl) {
678 		tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid,
679 								 peer_mac);
680 		if (!tbl) {
681 			mwifiex_dbg(priv->adapter, EVENT,
682 				    "event: TID, TA not found in table\n");
683 			return;
684 		}
685 		mwifiex_del_rx_reorder_entry(priv, tbl);
686 	} else {
687 		ptx_tbl = mwifiex_get_ba_tbl(priv, tid, peer_mac);
688 		if (!ptx_tbl) {
689 			mwifiex_dbg(priv->adapter, EVENT,
690 				    "event: TID, RA not found in table\n");
691 			return;
692 		}
693 
694 		tid_down = mwifiex_wmm_downgrade_tid(priv, tid);
695 		ra_list = mwifiex_wmm_get_ralist_node(priv, tid_down, peer_mac);
696 		if (ra_list) {
697 			ra_list->amsdu_in_ampdu = false;
698 			ra_list->ba_status = BA_SETUP_NONE;
699 		}
700 		spin_lock_bh(&priv->tx_ba_stream_tbl_lock);
701 		mwifiex_11n_delete_tx_ba_stream_tbl_entry(priv, ptx_tbl);
702 		spin_unlock_bh(&priv->tx_ba_stream_tbl_lock);
703 	}
704 }
705 
706 /*
707  * This function handles the command response of an add BA response.
708  *
709  * Handling includes changing the header fields into CPU format and
710  * creating the stream, provided the add BA is accepted.
711  */
712 int mwifiex_ret_11n_addba_resp(struct mwifiex_private *priv,
713 			       struct host_cmd_ds_command *resp)
714 {
715 	struct host_cmd_ds_11n_addba_rsp *add_ba_rsp = &resp->params.add_ba_rsp;
716 	int tid, win_size;
717 	struct mwifiex_rx_reorder_tbl *tbl;
718 	uint16_t block_ack_param_set;
719 
720 	block_ack_param_set = le16_to_cpu(add_ba_rsp->block_ack_param_set);
721 
722 	tid = (block_ack_param_set & IEEE80211_ADDBA_PARAM_TID_MASK)
723 		>> BLOCKACKPARAM_TID_POS;
724 	/*
725 	 * Check if we had rejected the ADDBA, if yes then do not create
726 	 * the stream
727 	 */
728 	if (le16_to_cpu(add_ba_rsp->status_code) != BA_RESULT_SUCCESS) {
729 		mwifiex_dbg(priv->adapter, ERROR, "ADDBA RSP: failed %pM tid=%d)\n",
730 			    add_ba_rsp->peer_mac_addr, tid);
731 
732 		tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid,
733 						     add_ba_rsp->peer_mac_addr);
734 		if (tbl)
735 			mwifiex_del_rx_reorder_entry(priv, tbl);
736 
737 		return 0;
738 	}
739 
740 	win_size = (block_ack_param_set & IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK)
741 		    >> BLOCKACKPARAM_WINSIZE_POS;
742 
743 	tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid,
744 					     add_ba_rsp->peer_mac_addr);
745 	if (tbl) {
746 		if ((block_ack_param_set & BLOCKACKPARAM_AMSDU_SUPP_MASK) &&
747 		    priv->add_ba_param.rx_amsdu &&
748 		    (priv->aggr_prio_tbl[tid].amsdu != BA_STREAM_NOT_ALLOWED))
749 			tbl->amsdu = true;
750 		else
751 			tbl->amsdu = false;
752 	}
753 
754 	mwifiex_dbg(priv->adapter, CMD,
755 		    "cmd: ADDBA RSP: %pM tid=%d ssn=%d win_size=%d\n",
756 		add_ba_rsp->peer_mac_addr, tid, add_ba_rsp->ssn, win_size);
757 
758 	return 0;
759 }
760 
761 /*
762  * This function handles BA stream timeout event by preparing and sending
763  * a command to the firmware.
764  */
765 void mwifiex_11n_ba_stream_timeout(struct mwifiex_private *priv,
766 				   struct host_cmd_ds_11n_batimeout *event)
767 {
768 	struct host_cmd_ds_11n_delba delba;
769 
770 	memset(&delba, 0, sizeof(struct host_cmd_ds_11n_delba));
771 	memcpy(delba.peer_mac_addr, event->peer_mac_addr, ETH_ALEN);
772 
773 	delba.del_ba_param_set |=
774 		cpu_to_le16((u16) event->tid << DELBA_TID_POS);
775 	delba.del_ba_param_set |= cpu_to_le16(
776 		(u16) event->origninator << DELBA_INITIATOR_POS);
777 	delba.reason_code = cpu_to_le16(WLAN_REASON_QSTA_TIMEOUT);
778 	mwifiex_send_cmd(priv, HostCmd_CMD_11N_DELBA, 0, 0, &delba, false);
779 }
780 
781 /*
782  * This function cleans up the Rx reorder table by deleting all the entries
783  * and re-initializing.
784  */
785 void mwifiex_11n_cleanup_reorder_tbl(struct mwifiex_private *priv)
786 {
787 	struct mwifiex_rx_reorder_tbl *del_tbl_ptr, *tmp_node;
788 
789 	spin_lock_bh(&priv->rx_reorder_tbl_lock);
790 	list_for_each_entry_safe(del_tbl_ptr, tmp_node,
791 				 &priv->rx_reorder_tbl_ptr, list) {
792 		spin_unlock_bh(&priv->rx_reorder_tbl_lock);
793 		mwifiex_del_rx_reorder_entry(priv, del_tbl_ptr);
794 		spin_lock_bh(&priv->rx_reorder_tbl_lock);
795 	}
796 	INIT_LIST_HEAD(&priv->rx_reorder_tbl_ptr);
797 	spin_unlock_bh(&priv->rx_reorder_tbl_lock);
798 
799 	mwifiex_reset_11n_rx_seq_num(priv);
800 }
801 
802 /*
803  * This function updates all rx_reorder_tbl's flags.
804  */
805 void mwifiex_update_rxreor_flags(struct mwifiex_adapter *adapter, u8 flags)
806 {
807 	struct mwifiex_private *priv;
808 	struct mwifiex_rx_reorder_tbl *tbl;
809 	int i;
810 
811 	for (i = 0; i < adapter->priv_num; i++) {
812 		priv = adapter->priv[i];
813 		if (!priv)
814 			continue;
815 
816 		spin_lock_bh(&priv->rx_reorder_tbl_lock);
817 		list_for_each_entry(tbl, &priv->rx_reorder_tbl_ptr, list)
818 			tbl->flags = flags;
819 		spin_unlock_bh(&priv->rx_reorder_tbl_lock);
820 	}
821 
822 	return;
823 }
824 
825 /* This function update all the rx_win_size based on coex flag
826  */
827 static void mwifiex_update_ampdu_rxwinsize(struct mwifiex_adapter *adapter,
828 					   bool coex_flag)
829 {
830 	u8 i;
831 	u32 rx_win_size;
832 	struct mwifiex_private *priv;
833 
834 	dev_dbg(adapter->dev, "Update rxwinsize %d\n", coex_flag);
835 
836 	for (i = 0; i < adapter->priv_num; i++) {
837 		if (!adapter->priv[i])
838 			continue;
839 		priv = adapter->priv[i];
840 		rx_win_size = priv->add_ba_param.rx_win_size;
841 		if (coex_flag) {
842 			if (priv->bss_type == MWIFIEX_BSS_TYPE_STA)
843 				priv->add_ba_param.rx_win_size =
844 					MWIFIEX_STA_COEX_AMPDU_DEF_RXWINSIZE;
845 			if (priv->bss_type == MWIFIEX_BSS_TYPE_P2P)
846 				priv->add_ba_param.rx_win_size =
847 					MWIFIEX_STA_COEX_AMPDU_DEF_RXWINSIZE;
848 			if (priv->bss_type == MWIFIEX_BSS_TYPE_UAP)
849 				priv->add_ba_param.rx_win_size =
850 					MWIFIEX_UAP_COEX_AMPDU_DEF_RXWINSIZE;
851 		} else {
852 			if (priv->bss_type == MWIFIEX_BSS_TYPE_STA)
853 				priv->add_ba_param.rx_win_size =
854 					MWIFIEX_STA_AMPDU_DEF_RXWINSIZE;
855 			if (priv->bss_type == MWIFIEX_BSS_TYPE_P2P)
856 				priv->add_ba_param.rx_win_size =
857 					MWIFIEX_STA_AMPDU_DEF_RXWINSIZE;
858 			if (priv->bss_type == MWIFIEX_BSS_TYPE_UAP)
859 				priv->add_ba_param.rx_win_size =
860 					MWIFIEX_UAP_AMPDU_DEF_RXWINSIZE;
861 		}
862 
863 		if (adapter->coex_win_size && adapter->coex_rx_win_size)
864 			priv->add_ba_param.rx_win_size =
865 					adapter->coex_rx_win_size;
866 
867 		if (rx_win_size != priv->add_ba_param.rx_win_size) {
868 			if (!priv->media_connected)
869 				continue;
870 			for (i = 0; i < MAX_NUM_TID; i++)
871 				mwifiex_11n_delba(priv, i);
872 		}
873 	}
874 }
875 
876 /* This function check coex for RX BA
877  */
878 void mwifiex_coex_ampdu_rxwinsize(struct mwifiex_adapter *adapter)
879 {
880 	u8 i;
881 	struct mwifiex_private *priv;
882 	u8 count = 0;
883 
884 	for (i = 0; i < adapter->priv_num; i++) {
885 		if (adapter->priv[i]) {
886 			priv = adapter->priv[i];
887 			if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) {
888 				if (priv->media_connected)
889 					count++;
890 			}
891 			if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_UAP) {
892 				if (priv->bss_started)
893 					count++;
894 			}
895 		}
896 		if (count >= MWIFIEX_BSS_COEX_COUNT)
897 			break;
898 	}
899 	if (count >= MWIFIEX_BSS_COEX_COUNT)
900 		mwifiex_update_ampdu_rxwinsize(adapter, true);
901 	else
902 		mwifiex_update_ampdu_rxwinsize(adapter, false);
903 }
904 
905 /* This function handles rxba_sync event
906  */
907 void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
908 				 u8 *event_buf, u16 len)
909 {
910 	struct mwifiex_ie_types_rxba_sync *tlv_rxba = (void *)event_buf;
911 	u16 tlv_type, tlv_len;
912 	struct mwifiex_rx_reorder_tbl *rx_reor_tbl_ptr;
913 	u8 i, j;
914 	u16 seq_num, tlv_seq_num, tlv_bitmap_len;
915 	int tlv_buf_left = len;
916 	int ret;
917 	u8 *tmp;
918 
919 	mwifiex_dbg_dump(priv->adapter, EVT_D, "RXBA_SYNC event:",
920 			 event_buf, len);
921 	while (tlv_buf_left > sizeof(*tlv_rxba)) {
922 		tlv_type = le16_to_cpu(tlv_rxba->header.type);
923 		tlv_len  = le16_to_cpu(tlv_rxba->header.len);
924 		if (size_add(sizeof(tlv_rxba->header), tlv_len) > tlv_buf_left) {
925 			mwifiex_dbg(priv->adapter, WARN,
926 				    "TLV size (%zu) overflows event_buf buf_left=%d\n",
927 				    size_add(sizeof(tlv_rxba->header), tlv_len),
928 				    tlv_buf_left);
929 			return;
930 		}
931 
932 		if (tlv_type != TLV_TYPE_RXBA_SYNC) {
933 			mwifiex_dbg(priv->adapter, ERROR,
934 				    "Wrong TLV id=0x%x\n", tlv_type);
935 			return;
936 		}
937 
938 		tlv_seq_num = le16_to_cpu(tlv_rxba->seq_num);
939 		tlv_bitmap_len = le16_to_cpu(tlv_rxba->bitmap_len);
940 		if (size_add(sizeof(*tlv_rxba), tlv_bitmap_len) > tlv_buf_left) {
941 			mwifiex_dbg(priv->adapter, WARN,
942 				    "TLV size (%zu) overflows event_buf buf_left=%d\n",
943 				    size_add(sizeof(*tlv_rxba), tlv_bitmap_len),
944 				    tlv_buf_left);
945 			return;
946 		}
947 
948 		mwifiex_dbg(priv->adapter, INFO,
949 			    "%pM tid=%d seq_num=%d bitmap_len=%d\n",
950 			    tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num,
951 			    tlv_bitmap_len);
952 
953 		rx_reor_tbl_ptr =
954 			mwifiex_11n_get_rx_reorder_tbl(priv, tlv_rxba->tid,
955 						       tlv_rxba->mac);
956 		if (!rx_reor_tbl_ptr) {
957 			mwifiex_dbg(priv->adapter, ERROR,
958 				    "Can not find rx_reorder_tbl!");
959 			return;
960 		}
961 
962 		for (i = 0; i < tlv_bitmap_len; i++) {
963 			for (j = 0 ; j < 8; j++) {
964 				if (tlv_rxba->bitmap[i] & (1 << j)) {
965 					seq_num = (MAX_TID_VALUE - 1) &
966 						(tlv_seq_num + i * 8 + j);
967 
968 					mwifiex_dbg(priv->adapter, ERROR,
969 						    "drop packet,seq=%d\n",
970 						    seq_num);
971 
972 					ret = mwifiex_11n_rx_reorder_pkt
973 					(priv, seq_num, tlv_rxba->tid,
974 					 tlv_rxba->mac, 0, NULL);
975 
976 					if (ret)
977 						mwifiex_dbg(priv->adapter,
978 							    ERROR,
979 							    "Fail to drop packet");
980 				}
981 			}
982 		}
983 
984 		tlv_buf_left -= (sizeof(tlv_rxba->header) + tlv_len);
985 		tmp = (u8 *)tlv_rxba  + sizeof(tlv_rxba->header) + tlv_len;
986 		tlv_rxba = (struct mwifiex_ie_types_rxba_sync *)tmp;
987 	}
988 }
989